SlowMist: A malicious transaction exploiting the vulnerable EIP-7702 account was detected, resulting in a loss of approximately 54.93 ETH.

CoinFeed reported on April 29th that, according to SlowMist monitoring, a malicious transaction exploiting a vulnerable EIP-7702 account resulted in a loss of 1,988.5 QNT (approximately 54.93 ETH) from the QNT reserve pool. The root cause lies in the fact that an administrator account for a QNT reserve pool was held by an EOA address, which delegated its code to a BatchExecutor contract via the EIP-7702 mechanism. This BatchExecutor designated the permissionless BatchCall contract as the authorized caller. However, the BatchCall.batch() function was completely exposed without any permission checks, leading to an arbitrary call vulnerability that allowed attackers to steal QNT tokens from the reserve pool.